Originally posted by GATTACA:
Hello.
I'm trying to mount my RedHat 9.0 Linux directory onto my Powerbook G4. Since the I.T. people in my department are EXTREMELY paranoid about security, Samba has been disabled on the Linux box since it's a 'security issue'. That leaves only NFS.
I don't have a problem mounting NFS. I can go to the 'Connect to Server' menu option and type in the address box:
nfs://computer_name/path/I/want/to/mount
This mounts the directory on my desktop as a folder. However I don't get Read/Write permissions for this directory. The I.T. people tell me the reason for this is that although the log-in IDs are the same on both my Powerbook and the Linux Box, my passwords are different. Thus Linux won't allow me Read/Write access to the NFS share.
My questions are:
1) Is this true? Is the only reason I can't access the NFS share simply due to a password problem?
2) Assuming the answer to question 1 is yes. Is there a workaround other than changing my Powerbook password to match my Linux Box password?
Any suggestions?
First, NFS is certainly no *more* secure than Samba. The reason for this is "NFS trusts the network and machine". IOW anyone who has root access to a box on the LAN can mount the NFS share(s). By default the root user on a client machine cannot access a user's home folder. The root user on the client can only access NFS shares that are world readable and similarly can only write to NFS shares that are world writeable.
However... the root user on an NFS client can create a user and group on the client with uid and gid that match any user on the server and can then "su - userid" on the client and have complete access to their home folder.
Samba, OTOH, "trusts the user". IOW a user has to log in and authenticate to the Samba server in order to mount their home folder (or any other share that they are allowed to access).
Naturally, both Samba and NFS are quite tuneable as far as security goes.... and the above only covers one aspect of their security models. The fact still remains that for exporting users' home folders read/write over a LAN, NFS is NOT MORE secure than Samba... in most cases it is LESS secure. If your IT people haven't read it yet... they should read and understand:
http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
Samba, by default, inherits most all of the security issues involved with Windows SMB filesharing. The usual methods for keeping Samba secure are more or less similar to the methods for NFS. In addition a Samba server MUST be firewalled from the internet.
With all that said....
1) Is NOT true. The most likely reason you can not access your shares/folders on the NFS server is due to UID and GID mismatch.
For YOU to fix this problem:
ssh to the server using the userid that is configured for you on the server and run the following command, which will return something like this:
Code:
[gattaca@server gattaca]$ id
uid=500(gattaca) gid=500(gattaca) groups=500(gattaca),517(webmaster),522(multimedia),511(docs)
(yours will almost certainly look different)
The main part you are interested in is the numbers for uid, gid, and groups. You need to have the same matching numbers on your Mac OS X box. The actual username and group name DO NOT have to be the same. Unix/Linux/Mac OS X actually does it all by the numbers (uid and gid)... which then maps it to the username and groupname via NetInfo on Mac OS X and /etc/passwd on Linux/Unix (or NIS but that is a different subject).
Now, in the example above user gattaca has uid and gid of 500 on the server. In order to match things up on your client Mac OS X machine you will need to set your uid and gid to 500. To compare... on your Mac OS X client open a terminal and type the same command, which will return something like this:
Code:
[macosxbox:~] gatt% id
uid=501(gatt) gid=20(staff) groups=20(staff), 0(wheel), 80(admin)
(yours will almost certainly look different). You will need to change your uid and gid on the Mac OS X client AND do a recursive chown on your home folder. There are probably commandline methods for doing this but I don't know them. I would use the NetInfo manager app. HD --> Applications --> Utilities --> NetInfo Manager. You will probably have to click on the lock in order to make changes and enter the root password. Then select users --> gattac and edit your uid and gid... from the example above... set them to 500 and 500. Save your changes.
Now open a terminal (you may have to enter your password). And do an ls -l on your home folder. You will see that the owner of each file is "501" instead of "gatt", so you will have to change all that with:
Code:
cd /Users/
sudo chown -R gatt.staff gatt/
It may spit back a bunch of errors but it seems to work anyhow. Then check to see that you can access files in your home folder on the Mac. Also check to see that you can access the folders and files on the NFS share.
The above method SHOULD work (I tested it here).
There is alternatively something your IT staff can do but somehow I am not so confident in their abilities... it could also lead to complications on the server for other NFS users... because group (gid=20(staff)) is common amongst Mac OS X systems.
Let me know if you have any problems or questions.
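As an added illustration (not part of the thread), the script below parses the `id` output from both machines to report the numeric uid/gid mismatch, and simulates the server-side permission decision NFS makes for an AUTH_SYS request, showing why uid 501 gets nothing on a 0700 home folder owned by 500:500, why a matching uid gets read/write, and why a squashed client root only sees the "other" bits. The sample `id` strings are constructed from the thread's examples; the anonymous uid 65534 used for root_squash is an assumption.

```python
import re

# Constructed sample `id` output, modelled on the two examples in the thread.
SERVER_ID = "uid=500(gattaca) gid=500(gattaca) groups=500(gattaca),517(webmaster),522(multimedia),511(docs)"
CLIENT_ID = "uid=501(gatt) gid=20(staff) groups=20(staff), 0(wheel), 80(admin)"

def parse_id(output):
    """Parse `id` output into (uid, gid, set of group ids). Names are dropped on
    purpose: with AUTH_SYS the NFS server only ever sees the numbers."""
    uid = int(re.search(r"uid=(\d+)", output).group(1))
    gid = int(re.search(r"gid=(\d+)", output).group(1))
    parts = output.split("groups=", 1)
    groups = {int(g) for g in re.findall(r"(\d+)\(", parts[1])} if len(parts) > 1 else set()
    return uid, gid, groups

def nfs_access(file_uid, file_gid, mode, client_uid, client_gids, root_squash=True):
    """Simulate the server's permission check for a client-presented uid/gids.
    Returns (can_read, can_write). With root_squash the client's root is mapped to
    an anonymous uid (assumed 65534) that owns nothing, so it only gets the
    'other' permission bits, exactly as the reply describes."""
    if client_uid == 0 and root_squash:
        client_uid, client_gids = 65534, {65534}
    if client_uid == file_uid:
        bits = (mode >> 6) & 7          # owner bits
    elif file_gid in client_gids:
        bits = (mode >> 3) & 7          # group bits
    else:
        bits = mode & 7                 # other bits
    return bool(bits & 4), bool(bits & 2)

def id_mismatch(server_output, client_output):
    """List the numeric ids that differ between server and client; an empty
    list means the NFS server will treat both accounts as the same principal."""
    suid, sgid, _ = parse_id(server_output)
    cuid, cgid, _ = parse_id(client_output)
    problems = []
    if suid != cuid:
        problems.append(f"uid {cuid} on client vs {suid} on server")
    if sgid != cgid:
        problems.append(f"gid {cgid} on client vs {sgid} on server")
    return problems

if __name__ == "__main__":
    print(id_mismatch(SERVER_ID, CLIENT_ID))
    cuid, cgid, cgroups = parse_id(CLIENT_ID)
    print("before fix:", nfs_access(500, 500, 0o700, cuid, cgroups | {cgid}))
    print("after fix: ", nfs_access(500, 500, 0o700, 500, {500}))
```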